julz0815 / test-action

CVE: 2018-1271 found in Spring Web MVC - Version: 4.3.10.RELEASE [JAVA] #154

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Web MVC |
| Description | Spring Web MVC |
| Language | JAVA |
| Vulnerability | Directory Traversal |
| Vulnerability description | spring-webmvc is vulnerable to a directory traversal attack. The vulnerability exists due to the improper sanitization of the path values, which allows valid Windows files to be served as static resources. This vulnerability only affects spring-webmvc running on Windows which allows serving files with the file: locator, does not use Spring Security with versions patched for CVE-2018-1199, and uses Tomcat/WildFly as the server. |
| CVE | 2018-1271 |
| CVSS score | 4.3 |
| Vulnerability present in version/s | 4.0.0.RELEASE-4.3.14.RELEASE |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 4.3.15.RELEASE |
| Library latest version | 6.0.0 |
| Fix | To mitigate this issue, apply fix patch. |

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/julz0815/test-action/pull/184